Subject: Re: Autoblocking sites after ssh probes
To: Martin Husemann <>
From: Mike M. Volokhov <>
List: current-users
Date: 01/28/2005 09:30:56
On Thu, 27 Jan 2005 23:29:42 +0100
Martin Husemann <> wrote:

> Now, here is the question: does anyone know of a tool to automagically recognize
> this sequence of logs that temporarily adds the coresponding block rules to 
> ipf and expires them after, say, 24 hours?
> Is there anything wrong from a security point of view with this aproach?
> It's not a protection in itself, and it's just one common attack (out of 
> hundreds, I guess). But maybe as an additional obstacle?

IMHO, it sould be done by ssh itself. The blocking should occurs in case
of login probes only, but ssh only knows, is this a probes or not. To
prevent possible DoS, it may contain a list of non-DoS IPs to avoid such

Another idea is block all by default and use something like port
knocking to grant access, as it was already proposed by Daniel.